Problem description
I am using the bouncyCastle library with FIPS mode enabled for SSL communication. So I have only 3 providers in the java.security file, as follows:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
I wrote a simple program to test the connection to our website:
import java.net.URL;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;

public class TestConnection {
    public static void main(String[] args) throws Exception {
        // enable revocation check
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        // enable CDP
        System.setProperty("com.sun.security.enableCRLDP", "true");
        System.setProperty("org.bouncycastle.x509.enableCRLDP", "true");
        // disable OCSP
        Security.setProperty("ocsp.enable", "false");
        URL url = new URL("<my-web-site>");
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        connection.connect();
    }
}
But the connection fails with the following error:
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
    at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(ProvSSLSocketDirect.java:134)
    at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:335)
    at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:4544)
    at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:842)
    at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:728)
    at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:652)
    at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:548)
    at org.bouncycastle.tls.RecordStream.readRecord(RecordStream.java:232)
    at org.bouncycastle.tls.TlsProtocol.safeReadRecord(TlsProtocol.java:800)
    at org.bouncycastle.tls.TlsProtocol.blockForHandshake(TlsProtocol.java:396)
    at org.bouncycastle.tls.TlsClientProtocol.connect(TlsClientProtocol.java:91)
    at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(ProvSSLSocketDirect.java:430)
    at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(ProvSSLSocketDirect.java:411)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:171)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
    at com.test.TestConnection.main(TestConnection.java:153)
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:308)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:267)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:174)
    at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(ProvSSLSocketDirect.java:130)
    ... 16 more
Caused by: java.security.cert.CertPathBuilderException: Certification path could not be validated.
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.buildCertPath(ProvX509TrustManager.java:240)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:295)
    ... 19 more
Caused by: java.security.cert.CertPathValidatorException: No CRLs found for issuer "CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies,Inc.",L=Scottsdale,ST=Arizona,C=US"
    at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
    at org.bouncycastle.jcajce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
    ... 23 more
Caused by: org.bouncycastle.jcajce.provider.AnnotatedException: No CRLs found for issuer "CN=Starfield Services Root Certificate Authority - G2,C=US"
    at org.bouncycastle.jcajce.provider.CertPathValidatorUtilities.getCompleteCRLs(Unknown Source)
    at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.checkCRL(Unknown Source)
    at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.checkCRLs(Unknown Source)
    ... 28 more
I have checked that a valid CRLDP is configured in every certificate in the chain. This is what the certificate chain looks like (the CA certificates highlighted in blue are present in my JDK truststore):
Without bouncyCastle (using the default JDK providers), the same code works fine (the connection succeeds). But to make it work with bouncyCastle, I need to put the entire certificate chain into my truststore (including the end-entity certificate), which is very impractical.
Can anyone help me figure out what the problem is here?
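The failing step in the trace is BC's CRL lookup (getCompleteCRLs), which only accepts a CRL whose issuer name matches the certificate's issuer and whose signature verifies. The following diagnostic, added here and not part of the question, reads the server chain from a PEM file (leaf first, as saved from openssl s_client -showcerts), fetches every CRL named in each certificate's CRL Distribution Points extension, and reports those two conditions plus the CRL's nextUpdate; the class name CrlDpCheck and the file argument are assumptions, and the org.bouncycastle.asn1 classes are the ones shipped in the BC FIPS jar.

```java
import java.io.*;
import java.net.URL;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.x509.*;

// Hypothetical diagnostic (not from the question): for every certificate in a chain, fetch the
// CRLs named in its CRL Distribution Points extension and check what BC's CRL lookup needs.
public class CrlDpCheck {
    // URIs from the certificate's CRLDP extension (id-ce-cRLDistributionPoints = 2.5.29.31)
    static List<String> crlUris(X509Certificate cert) {
        List<String> uris = new ArrayList<>();
        byte[] ext = cert.getExtensionValue("2.5.29.31");
        if (ext == null) return uris;                                   // no CRLDP at all
        byte[] raw = ASN1OctetString.getInstance(ext).getOctets();      // unwrap the OCTET STRING
        for (DistributionPoint dp : CRLDistPoint.getInstance(raw).getDistributionPoints()) {
            DistributionPointName dpn = dp.getDistributionPoint();
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) continue;
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) uris.add(gn.getName().toString());
            }
        }
        return uris;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file with the server chain, leaf first (e.g. saved from openssl s_client -showcerts)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) { for (Object c : cf.generateCertificates(in)) chain.add((X509Certificate) c); }
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate issuer = i + 1 < chain.size() ? chain.get(i + 1) : null; // last issuer is a trust anchor
            System.out.println("[" + i + "] " + cert.getSubjectX500Principal());
            List<String> uris = crlUris(cert);
            if (uris.isEmpty()) System.out.println("    no CRLDP: BC has nowhere to fetch a CRL from");
            for (String uri : uris) {
                try (InputStream in = new URL(uri).openStream()) {
                    X509CRL crl = (X509CRL) cf.generateCRL(in);
                    // BC selects CRLs by issuer name; false here reproduces "No CRLs found for issuer"
                    boolean nameOk = crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal());
                    boolean fresh = crl.getNextUpdate() == null || crl.getNextUpdate().after(new Date());
                    String sig = "issuer not in file";
                    if (issuer != null) { try { crl.verify(issuer.getPublicKey()); sig = "ok"; } catch (Exception e) { sig = "BAD: " + e; } }
                    System.out.printf("    %s issuerMatch=%b fresh=%b signature=%s%n", uri, nameOk, fresh, sig);
                } catch (Exception e) { System.out.println("    " + uri + " fetch/parse failed: " + e); }
            }
        }
    }
}
```

Run it with the same java.security provider list as the failing program, so that CertificateFactory and CRL signature verification go through BCFIPS exactly as they do during the handshake.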
Solution
No working solution for this problem has been found yet.